Thwarting Cyber ‘Predicaments’

My wife was recently robbed at gunpoint in London. Therein lies a tale.

Recently, my wife was robbed at gunpoint in London. With no money, she was unable to pay her hotel bills or return home to San Diego. Worst of all, while she still had her passport, British authorities were less than helpful, given the circumstances.

Or so I was led to believe from a breathless email subject-lined “My Predicament!!” and sent from my wife’s Yahoo account to me and several hundred residents of her email address book. A hacker had apparently cracked her password, blasted the message out to anyone he could find, and locked her out of her own account by changing the password.

My wife was with me at the time (safe and sound, of course), so we jointly fielded the dozens of phone calls and emails that began to pour in from friends and family members expressing concern over The Predicament and wondering how they could help. Most folks correctly surmised that her message was the product of a hacked account, but they wanted to be sure nonetheless.

Their fears weren’t totally unwarranted. My wife, who was born in England, actually had traveled to London without me the previous month, so a catastrophe of British proportions dwelt in the realm of the plausible—although anyone who knows her remotely well would also know that she has a strong network of folks in England, including her father, to whom she would have turned directly instead of resorting to mass email.

But while we were struggling to reassure friends and family that the message was bogus, the hacker escalated his attack by commandeering her Facebook account as well. He began engaging her friends through Facebook’s chat function, peddling the same story of a gunpoint robbery across the Atlantic. Thankfully, nobody fell for the scam, which has recently cropped up in various forms and places around the country. Having already seen two virtually identical Predicament emails from friends, I recognized my wife’s message as a hoax right away.

But the incident generated some grimly amusing anecdotes. One friend, genuinely fearing the worst, called to ask what he could possibly do to help. Only because his was the twelfth or so call I had taken during the previous 30 minutes—and because I knew I could get away with it—I played along, sounded terrified, and asked for “whatever he could spare… please!”

Another of my wife’s friends wrote back to the “cyberschmuck,” as my wife lovingly dubbed him, asking what he could do to help. The hacker retorted that he could wire money to a Western Union in Cardiff. When the friend helpfully (but falsely) responded that he happened to be in London at the time with $5,000 cash on his person, the hacker gave him a physical address for a rendezvous. We toyed with asking Scotland Yard to dispatch some bobbies to the safe house, but thought better of it.

I tried my hand at some counter-intimidation as well, telling the cyberschmuck via email and Facebook chat that he wasn’t fooling anyone and that the authorities were en route to his location. He responded by blocking my ability to email my wife’s account and by unfriending me on Facebook.

After we’d had our fun, it took a surprisingly long time to restore my wife’s accounts. Facebook proved particularly frustrating, as the site has no customer service phone number and handles compromised accounts through a Byzantine system of emails and replacement passwords through alternate accounts (Yahoo had friendly technicians who walked us through the process by phone).

But the experience, which fortunately caused no lasting harm, taught us several key lessons about how to spot and prevent online fraud.

First, choose your passwords carefully. Your ciphers should always have alpha and numeric components and should not be based on birthdays, anniversaries, or any other number or letter combination a would-be cyberschmuck can divine from publicly (or semi-publicly) available information.

Second, change your passwords frequently. The risk of compromise rises proportionally with the length of time a password goes unchanged. I’m prompted to change the cipher controlling my work computer every 60 days or so; the more frequent, the better.

Third, maintain your passwords separately. Do not reuse the same password for multiple applications, but instead, to quote a once-popular song, “Keep ’em separated.”

To be sure, keeping multiple ciphers straight can be a challenge. I’m reminded of a friend who struggled with the many passwords her employers required her to remember in order to access various software applications. Eventually, she gave up and simply wrote them all down in large print on a piece of paper she tacked to her cubicle.

Fourth, secure your home-based wireless Internet. For no good reason other than ordinary laziness, we’d never protected our wireless router with a password (I shouldn’t say “we”; this was my job, long procrastinated). While it’s unlikely that the cyberschmuck—who no doubt was based in Nigeria or the former Soviet bloc—infiltrated my wife’s accounts by driving around our neighborhood armed with a high-powered sniffer (especially since we were out of town when the attack happened), we should have secured our wireless long ago. So should you. It only takes an hour or so on the phone with your router’s Bangalore-based tech support, or five minutes with the help of a techie friend.

Following these commonsense steps will hopefully keep you from encountering cyber trouble. And while you’re at it, be cautious when walking the streets of London, too.

Michael M. Rosen is an intellectual property attorney in San Diego and writes frequently for THE AMERICAN about technology.